A data breach is always a stressful experience, and it usually brings reputational damage and direct and indirect costs for the organization that can persist for months, even years.
According to the recent “Cost of a Data Breach Report”, PII was the most common type of data lost or stolen in breaches (80%). However, if you prepare, take the necessary steps, and react fast, you can at least contain the costs of the breach, demonstrate cooperation with the data protection authority, and protect the company's reputation.
What is a personal data breach?
A personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data (Article 4(12)), and that can cause material or non-material damage to individuals.
The most important part of this definition is that personal data must be involved: all personal data breaches are security incidents, but not all security incidents are personal data breaches.
A personal data breach means your organization has, at least for the data concerned, failed to ensure the security that the integrity and confidentiality principle requires (Article 5(1)(f)).
Distinguishing security incidents from personal data breaches will help you decide whether you are obligated to report a specific incident to the supervisory authority.
You are only obligated to report a breach that concerns personal data, and only in certain situations.
How to respond when a personal data breach occurs
When a personal data breach occurs, you have to assess how likely and how severe the risk to individuals' rights and freedoms is.
Unless the breach is unlikely to result in such a risk, you must notify the supervisory authority.
If the breach is unlikely to result in a risk to individuals' rights and freedoms (for example because the data was unintelligible to whoever obtained it), you are not obligated to report it, but you must still document it.
How to decide whether you should notify the supervisory authority?
When assessing the impact, consider the different ways in which the breach can affect individuals.
A personal data breach can result in physical, material, or non-material damage to individuals, such as:
- Loss of control over their personal data
- Limitation of their rights
- Identity theft or fraud
- Financial loss
- Unauthorized reversal of pseudonymization
- Damage to reputation
- Loss of confidentiality of personal data protected by professional secrecy
- Any other significant economic or social disadvantage to the natural person concerned (Recital 85)
This matters because understanding how the breach affects individuals, and what kind of damage it can cause, determines whether you are obligated to notify the supervisory authority, the individuals, or both.
The obligation to contact individuals will have to be assessed for each case individually.
The safest way to be sure you are compliant is to ask for guidance and direction from your national supervisory authority.
WP29 EXAMPLE #1
If the personal data are unintelligible to unauthorized parties because they were encrypted with a state-of-the-art algorithm and the key was not compromised, a confidentiality breach involving that data may not need to be notified to the supervisory authority.
This is because such a breach is unlikely to pose a risk to individuals' rights and freedoms. The exemption depends on the key staying secret and the encryption being strong: if the key was taken as well, or the data was only weakly protected, assess the breach as if the data had been in the clear.
WP29 EXAMPLE #2
Where the personal data are already publicly available, disclosing them is unlikely to pose a risk to the individual, so notification may again not be required.
When assessing the risk, consider both the likelihood and the severity of the risk to the rights and freedoms of data subjects.
Whatever the outcome of the assessment, document it (the facts of the breach, its effects, and the remedial action taken); that record is what allows you to justify the decision to the supervisory authority if it is ever questioned.
What should data breach notification include?
- Describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- Include the name and contact details of the DPO, or of another contact point from which more information can be obtained;
- Describe the likely consequences of the personal data breach;
- Describe the measures you have taken, or propose to take, to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
The GDPR does not define categories of data subjects or personal data records that should be specified in the notification.
However, it is advised to define categories of data subjects whose personal data has been affected by a breach, like children, people with disabilities, or employees. The same goes for special categories of data.
If you do not yet know everything the notification requires, do not let that delay the report.
The GDPR allows the information to be provided in phases, so you can fill it in later. The focus should always be on containing the damage and protecting individuals; the numbers are there to help you and the authority grasp the magnitude of the breach.
Should you notify individuals about the personal data breach?
You are obligated to inform the individuals about the breach without undue delay if it is likely to result in a high risk to their rights and freedoms.
How can you tell whether the risk is high? Risk is a function of likelihood and severity: the more severe the potential consequences for the individuals, and the more probable those consequences are, the higher the risk.
The notification to the data subjects must describe, in clear and plain language, the nature of the personal data breach and must contain at least the following, which mirror what you reported to the supervisory authority (Article 34(2)):
- A description of the nature of the breach;
- The name and contact details of the data protection officer or other contact point;
- A description of the likely consequences of the breach;
- A description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
One of the reasons individuals need to be aware of the breach is to help them protect themselves from the consequences of the breach.
The GDPR requires that, when a personal data breach occurs, the controller notify the competent national supervisory authority (or, for a cross-border breach, the lead supervisory authority) without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” (Article 33)
Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by the reasons for the delay.
According to the WP29 guidelines, a controller that notifies the supervisory authority can also obtain advice from it on whether the affected individuals need to be informed.
A list of the data protection authorities that supervise the application of data protection law is available, together with each authority's procedure for reporting a data breach.
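The assessment described above (likelihood and severity of the risk, the two WP29 exemptions, the "unlikely risk" threshold for the supervisory authority and the "high risk" threshold for data subjects, the 72-hour clock from becoming aware, and the phased notification content) can be turned into a small triage helper for an incident-response runbook. The following is an added example, not code from the original article or from any regulator. The likelihood-times-severity matrix and its thresholds are an assumed scoring scheme that neither the GDPR nor the WP29 guidelines prescribe, and the `availability_lost` flag is an assumption that the encryption exemption covers confidentiality breaches only, as the WP29 example is worded; both should be adapted to your own risk methodology.

```python
"""Breach-notification triage for the Article 33/34 decisions described above.

Added example, not code from the original article. The likelihood x severity
matrix and its thresholds are an assumed scoring scheme; the GDPR and the WP29
guidelines do not prescribe one. Adapt it to your own risk methodology.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


NOTIFY_WINDOW = timedelta(hours=72)  # Article 33(1): counted from becoming aware

# Article 33(3): what the notification to the supervisory authority must describe.
REQUIRED_FIELDS = ("nature", "contact", "likely_consequences", "measures")


@dataclass
class BreachFacts:
    became_aware_at: datetime          # timezone-aware; the 72 hours run from here
    likelihood: Level                  # how likely the harm is to occur
    severity: Level                    # how severe the harm would be
    data_encrypted: bool = False       # WP29 example 1
    key_compromised: bool = False
    data_already_public: bool = False  # WP29 example 2
    availability_lost: bool = False    # assumption: example 1 covers confidentiality
                                       # breaches only, not loss of the only copy


@dataclass
class Decision:
    risk: str                          # "unlikely", "likely" or "high"
    notify_authority: bool             # Article 33: unless the risk is unlikely
    notify_individuals: bool           # Article 34: only when the risk is high
    authority_deadline: datetime
    rationale: list = field(default_factory=list)


def assess(facts: BreachFacts) -> Decision:
    """Turn the facts of a breach into the two notification decisions."""
    if facts.became_aware_at.tzinfo is None:
        raise ValueError("became_aware_at must be timezone-aware")
    rationale = []
    if facts.data_encrypted and not facts.key_compromised and not facts.availability_lost:
        risk = "unlikely"
        rationale.append("data unintelligible to unauthorised parties: encrypted, key not compromised")
    elif facts.data_already_public:
        risk = "unlikely"
        rationale.append("data already publicly available")
    else:
        score = int(facts.likelihood) * int(facts.severity)   # 1..9 (assumed matrix)
        risk = "high" if score >= 6 else "likely" if score >= 3 else "unlikely"
        rationale.append(f"likelihood {facts.likelihood.name} x severity {facts.severity.name} = {score}")
    # Every breach goes into the breach register, whether or not it is reported.
    rationale.append("record kept in the breach register regardless of outcome")
    return Decision(
        risk=risk,
        notify_authority=risk != "unlikely",
        notify_individuals=risk == "high",
        authority_deadline=facts.became_aware_at + NOTIFY_WINDOW,
        rationale=rationale,
    )


def build_notification(decision: Decision, submitted_at: datetime, details: dict) -> dict:
    """Assemble the Article 33(3) content. Gaps are allowed (phased notification)
    but listed under "outstanding", as is a missing reason for a late submission."""
    note = {name: details.get(name) for name in REQUIRED_FIELDS}
    note["approx_data_subjects"] = details.get("approx_data_subjects")
    note["approx_records"] = details.get("approx_records")
    note["late"] = submitted_at > decision.authority_deadline
    note["delay_reason"] = details.get("delay_reason")
    note["outstanding"] = [name for name in REQUIRED_FIELDS if note[name] is None]
    if note["late"] and not note["delay_reason"]:
        note["outstanding"].append("delay_reason")
    return note


if __name__ == "__main__":
    # Constructed scenario: a stolen laptop holding an unencrypted HR export.
    facts = BreachFacts(
        became_aware_at=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
        likelihood=Level.MEDIUM, severity=Level.HIGH,
    )
    decision = assess(facts)
    print(decision.risk, decision.notify_authority, decision.notify_individuals)
    print(build_notification(decision, datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc),
                             {"nature": "lost laptop with unencrypted HR export",
                              "contact": "dpo@example.com"}))
```

The helper deliberately never drops a breach: even when both notifications are off, the `rationale` is what goes into the breach register so the decision can be justified later. `build_notification` does not refuse an incomplete report, because the page's advice is to report first and complete in phases; it only makes the gaps, and a missing reason for lateness, visible.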
What is the role of the data processors?
The GDPR requires both controllers and processors to have appropriate technical and organizational measures in place to ensure a level of security appropriate to the risk (Article 32).
The processor is obligated to notify the controller without undue delay after becoming aware of a personal data breach.
If you use data processors, you need a written contract between you as controller and them as processor (Article 28). The breach-reporting requirements, including how quickly and in what form the processor must report to you, should be set out in that contract in detail.
Data processors must assist data controllers in notifying data breaches and in conducting a Data Protection Impact Assessment (DPIA).
Proper breach procedures require data processors to understand what constitutes a data breach and to react according to their responsibilities.
Preparation and planning make a large financial difference for the organization when a breach happens.
Make sure to develop internal policies and procedures for dealing with personal data breaches.
Standardized operating procedures for data breaches will guide you during an incident, when there is no time to work things out from scratch.
You should always know what needs to be done before, during, and after a data breach.
The standard operating procedure should record the risk profile of the personal data held in each part of the controller's systems and give enough detail for the controller to carry out each step of the risk assessment.
Think about your overall GDPR compliance as well. If you haven't already, you should have a compliant record of processing activities, third-party management, data subject requests, and consent management to begin with.